name: Release

# Manual trigger only. `network` is a fixed choice list, so it is safe to use in
# `if:` conditions and step names; `priority-fee` is free text and is only ever
# forwarded to actions as a `with:` input, never spliced into a shell line.
on:
  workflow_dispatch:
    inputs:
      network:
        type: choice
        description: Target network
        required: true
        options:
          - devnet
          - mainnet
      priority-fee:
        type: string
        description: Priority fee (microlamports per CU)
        default: '100000'
# Least privilege for the GITHUB_TOKEN: the only write grant is the OIDC token,
# which the Doppler step uses to authenticate (auth-method: oidc); repository
# contents are read-only for everything else.
permissions:
  contents: read
  id-token: write

# Serialize releases per target network and never cancel a deploy mid-flight.
concurrency:
  group: release-${{ inputs.network }}
  cancel-in-progress: false

# Non-secret release constants. RPC_URL, DEPLOYER_KEYPAIR and SQUADS_VAULT are
# not defined here; they are injected at runtime by the Doppler step.
env:
  PROGRAM: subscriptions_program
  PROGRAM_ID: De1egAFMkMWZSN5rYXRj9CAdheBamobVNubTsi9avR44
  REPO_URL: https://github.com/solana-program/subscriptions
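jobs:
  release:
    name: Release ${{ inputs.network }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    # NOTE(review): the job is not bound to a GitHub `environment:`. A mainnet
    # dispatch is therefore gated only by repository write access, and the OIDC
    # token presented to Doppler carries no environment claim the trust policy
    # could require. Binding this job to a protected environment with required
    # reviewers (and narrowing the Doppler identity trust to it) is the usual
    # control for production deploy keys — coordinate with the Doppler trust
    # policy owners before adding it, since both sides must change together.
    steps:
      # Every other third-party action in this job is pinned to a commit SHA;
      # checkout alone floats on the mutable `v6` tag. Pin it the same way so
      # the release pipeline cannot be changed by a tag move upstream.
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0

      # Secrets come from Doppler over OIDC (no long-lived Doppler token in the
      # repo) and are injected as environment variables; RPC_URL,
      # DEPLOYER_KEYPAIR and (mainnet) SQUADS_VAULT are consumed below.
      # NOTE(review): confirm the action registers injected values with
      # ::add-mask:: — unlike the `secrets` context, plain env values are not
      # masked in logs automatically, and DEPLOYER_KEYPAIR is passed as an
      # action input several times below.
      - name: Load deploy config from Doppler
        uses: dopplerhq/secrets-fetch-action@451892f16195f9ac360e1a5bcbf0b5fd0e957534 # v2.0.0
        with:
          auth-method: oidc
          doppler-identity-id: ${{ vars.DOPPLER_SERVICE_IDENTITY_ID }}
          doppler-project: subscriptions
          doppler-config: ${{ inputs.network == 'mainnet' && 'prd_github' || 'stg_github' }}
          inject-env-vars: true

      # Fail fast — before any key material is written to disk or any on-chain
      # buffer is created — if the deploy config is incomplete. Previously
      # SQUADS_VAULT was only asserted *after* prepare-squads-release had
      # already used it as the buffer authority, so an unset value could have
      # reached the chain before the check fired.
      - name: Validate deploy config
        env:
          NETWORK: ${{ inputs.network }}
        run: |
          : "${RPC_URL:?RPC_URL is not set (expected from the Doppler config for $NETWORK)}"
          : "${DEPLOYER_KEYPAIR:?DEPLOYER_KEYPAIR is not set (expected from the Doppler config for $NETWORK)}"
          if [ "$NETWORK" = "mainnet" ]; then
            : "${SQUADS_VAULT:?Set SQUADS_VAULT in Doppler prd_github}"
          fi

      - uses: ./.github/actions/setup
        with:
          rust-cache-key: 'release-${{ inputs.network }}'
          solana-version: 'v4.0.0'

      # NOTE(review): unpinned — this installs whatever crates.io serves at
      # release time. The binary produces the artifact that is verified
      # on-chain, so a release pipeline should carry an explicit `--version`.
      - name: Install solana-verify
        run: cargo install solana-verify --locked

      # The keypair exists only as a 0600 file on the ephemeral runner and is
      # deleted by the always() cleanup step at the end of the job. `printf '%s'`
      # writes the JSON exactly as injected, with no trailing newline.
      - name: Materialize deployer keypair
        run: |
          install -m 600 /dev/null /tmp/deployer.json
          printf '%s' "$DEPLOYER_KEYPAIR" > /tmp/deployer.json

      # Public key only; used as the devnet buffer authority below.
      - name: Derive deployer pubkey
        id: deployer
        run: |
          PUBKEY=$(solana-keygen pubkey /tmp/deployer.json)
          echo "pubkey=$PUBKEY" >> "$GITHUB_OUTPUT"

      # NOTE(review): the CLI default keypair is set to $HOME/.config/solana/id.json,
      # which nothing in this workflow writes — the deployer key lives at
      # /tmp/deployer.json and every deploy action below receives it explicitly.
      # Either the setup action creates id.json or the default is unused;
      # confirm, and keep relying on the explicit per-step `keypair` inputs.
      - name: Configure Solana CLI
        run: solana config set --url "$RPC_URL" --keypair "$HOME/.config/solana/id.json" > /dev/null

      - name: Generate IDL
        run: just generate-idl

      - name: Build verified program
        uses: solana-developers/github-actions/build-verified@eb606791e11d06eb92593dfd3404bf0d4c809121
        with:
          program: ${{ env.PROGRAM }}

      - id: write-buffer
        if: inputs.network == 'devnet'
        name: Write program buffer
        uses: solana-developers/github-actions/write-program-buffer@eb606791e11d06eb92593dfd3404bf0d4c809121
        with:
          program: ${{ env.PROGRAM }}
          program-id: ${{ env.PROGRAM_ID }}
          rpc-url: ${{ env.RPC_URL }}
          keypair: ${{ env.DEPLOYER_KEYPAIR }}
          buffer-authority-address: ${{ steps.deployer.outputs.pubkey }}
          priority-fee: ${{ inputs.priority-fee }}

      # ============================================
      # devnet: direct upgrade by deployer
      # (the CI keypair is the upgrade authority here; on mainnet it is not)
      # ============================================
      - if: inputs.network == 'devnet'
        name: Upgrade program (devnet)
        uses: solana-developers/github-actions/program-upgrade@eb606791e11d06eb92593dfd3404bf0d4c809121
        with:
          program: ${{ env.PROGRAM }}
          program-id: ${{ env.PROGRAM_ID }}
          buffer: ${{ steps.write-buffer.outputs.buffer }}
          rpc-url: ${{ env.RPC_URL }}
          keypair: ${{ env.DEPLOYER_KEYPAIR }}

      - if: inputs.network == 'devnet'
        name: Upload IDL via program-metadata (devnet)
        uses: solana-developers/github-actions/metadata-upload@eb606791e11d06eb92593dfd3404bf0d4c809121
        with:
          program-id: ${{ env.PROGRAM_ID }}
          rpc-url: ${{ env.RPC_URL }}
          keypair: ${{ env.DEPLOYER_KEYPAIR }}
          idl-path: idl/subscriptions.json
          priority-fees: ${{ inputs.priority-fee }}

      # ============================================
      # mainnet: prepare Squads-owned buffers
      # CI only pays fees and writes buffers; authority is handed to the Squads
      # vault and the actual upgrade is a separate multisig proposal.
      # ============================================
      - if: inputs.network == 'mainnet'
        id: prepare-squads-release
        name: Prepare Squads release buffers (mainnet)
        uses: solana-developers/github-actions/prepare-squads-release@b480a01c45f5670da8e9d76fa03d30d9deb7153d
        with:
          program: ${{ env.PROGRAM }}
          program-id: ${{ env.PROGRAM_ID }}
          rpc-url: ${{ env.RPC_URL }}
          keypair: ${{ env.DEPLOYER_KEYPAIR }}
          squads-vault: ${{ env.SQUADS_VAULT }}
          metadata-path: idl/subscriptions.json
          priority-fee: ${{ inputs.priority-fee }}
          export-verify-pda: 'true'
          repo-url: ${{ env.REPO_URL }}
          commit-hash: ${{ github.sha }}

      # Informational only: this echoes the intended authority, it does not
      # read the buffer accounts back from the chain to verify it.
      - if: inputs.network == 'mainnet'
        name: Confirm mainnet buffer handoff
        run: |
          echo "Program buffer authority assigned to Squads vault: $SQUADS_VAULT"
          echo "IDL metadata buffer authority assigned to Squads vault: $SQUADS_VAULT"

      - name: Cleanup keypair
        if: always()
        run: rm -f /tmp/deployer.json

      # Values reach the shell through `env:` rather than inline `${{ }}` so
      # that action outputs (buffer addresses from third-party actions) are
      # treated as data, not as shell syntax.
      - name: Summary
        env:
          NETWORK: ${{ inputs.network }}
          COMMIT: ${{ github.sha }}
          SQUADS_BUFFER: ${{ steps['prepare-squads-release'].outputs.buffer }}
          SQUADS_IDL_BUFFER: ${{ steps['prepare-squads-release'].outputs['metadata-buffer'] }}
          DEVNET_BUFFER: ${{ steps.write-buffer.outputs.buffer }}
        run: |
          {
            echo "## Release: $NETWORK"
            echo ""
            echo "- Program: \`$PROGRAM_ID\`"
            echo "- Commit: \`$COMMIT\`"
            if [ "$NETWORK" = "mainnet" ]; then
              echo "- Buffer: \`$SQUADS_BUFFER\`"
              echo "- IDL buffer: \`$SQUADS_IDL_BUFFER\`"
              echo "- Verify PDA transaction exported: \`true\`"
              echo "- Buffer authority: \`$SQUADS_VAULT\`"
              echo "- **Action required**: create the Squads upgrade proposal using the listed buffers"
              echo "- CI keypair role: fee payer and buffer writer only; it does not need Squads membership"
            else
              echo "- Buffer: \`$DEVNET_BUFFER\`"
            fi
          } >> "$GITHUB_STEP_SUMMARY"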